Users and user groups

SSO user groups

SSO user groups are part of FSSO authentication and contain only Windows or Novell network users. No other user types are permitted as members. Information about the Windows or Novell user groups and the logon activities of their members is provided by the Fortinet Single Sign On (FSSO) which is installed on the network domain controllers.

You can specify FSSO user groups in security policies in the same way as you specify firewall user groups. FSSO user groups cannot have SSL VPN or dialup IPsec VPN access.

For information about configuring FSSO user groups, see Creating Fortinet Single Sign-On (FSSO) user groups on page 178. For complete information about installing and configuring FSSO, see Agent-based FSSO on page 142.

Configuring Peer user groups

Peer user groups can only be configured using the CLI. Peers are digital certificate holders defined using the config user peer command. The peer groups you define here are used in dialup IPsec VPN configurations that accept RSA certificate authentication from members of a peer certificate group.

To create a peer group – CLI

config user peergrp edit vpn_peergrp1 set member pki_user1 pki_user2 pki_user3

end

Viewing, editing and deleting user groups

To view the list of FortiGate user groups, go to User & Device > User Groups.

Editing a user group

When editing a user group in the CLI you must set the type of group this will be — either a firewall group, a Fortinet Single Sign-On Service group (FSSO), a Radius based Single Sign-On Service group (RSSO), or a guest group. Once the type of group is set, and members are added you cannot change the group type without removing the members.

In the web-based manager, if you change the type of the group any members will be removed automatically.

To edit a user group – web-based manager

  1. Go to User & Device > User Groups.
  2. Select the user group that you want to edit.
  3. Select the Edit
  4. Modify the user group as needed.
  5. Select OK.

To edit a user group – CLI

This example adds user3 to Group1. Note that you must re-specify the full list of users:

config user group edit Group1 set group-type firewall set member user2 user4 user3

end

Deleting a user group

Before you delete a user group, you must ensure there are no objects referring to, it such as security policies. If there are, you must remove those references before you are able to delete the user group.

To remove a user group – web-based manager

  1. Go to User & Device > User Groups.
  2. Select the user group that you want to remove.
  3. Select the Delete
  4. Select OK.

To remove a user group – CLI

config user group delete Group2

end

SSL renegotiation in firewall authentication

The auth-ssl-allow-renegotiation option is available under config user setting to allow/forbid SSL renegotiation in firewall authentication. The default value is disable, where a session would be terminated by authd once renegotiation is detected and this login would be recorded as a failure. Other behavior follows regular authentication settings.

To enable SSL renegotiation – CLI

config user setting set auth-ssl-allow-renegotiation enable end

 

This entry was posted in FortiGate, FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Users and user groups

  1. Anabella Cristaldi

    Hi Mike, One question: if I have LDAP Users and a remote Radius Group which will check first given an username and password? I’m not able to see If the order is defined somewhere
    Thank you

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.